Detecting vulnerabilities in configuration code of a cloud environment utilizing infrastructure as code

ABSTRACT

A system and method for detecting a vulnerable code object in configuration code for deploying instances in a cloud computing environment is disclosed. The method includes accessing a configuration code, the configuration code including a plurality of code objects, each code object of the plurality of code objects corresponding to a deployable virtual instance; querying a security graph to detect a node having an attribute value which matches a value extracted from a first code object of the plurality of code objects, wherein the security graph includes a representation of a cloud computing environment; and generating a mitigation action in response to determining that the detected node is associated with a cybersecurity issue.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Application No.63/264,550 filed on Nov. 24, 2021. This application also claims thebenefit of U.S. Provisional Application No. 63/283,376 filed on Nov. 26,2021, U.S. Provisional Application No. 63/283,378 filed on Nov. 26,2021, and U.S. Provisional Application No. 63/283,379 filed on Nov. 26,2021, the contents of which are hereby incorporated by reference. All ofthe applications referenced above are hereby incorporated by reference.

TECHNICAL FIELD

The present disclosure relates generally to cybersecurity and, inparticular, to improved scanning of virtual instances utilizinginfrastructure as code.

BACKGROUND

As users migrate data storage, processing, and management tasks todecentralized, off-location devices, platforms, and services, thelimitations of such devices, platforms, and services, also referred toas cloud environments, platforms, and the like, may impact a user’s dataoperations. Specifically, vulnerabilities within cloud-deployedresources and processes may present unique challenges requiringremediation. Due to the scale and structure of cloud systems, detectionof workload vulnerabilities, which detection may be readily-provided innon-cloud deployments, may require numerous, complex tools andoperations.

Current solutions to cloud workload vulnerability scanning challengesrequire the deployment of specialized tools, including scanning agentsdirected to maintenance of virtual machines (VMs), where operation andmaintenance of such tools may be costly, time-consuming, or both.Agent-dependent processes fail to provide for scanning of containers,such as containers managed using Kubernetes®, and other, like,container-management platforms, and may fail to provide for coverage ofserverless applications. Where such agent-implementation processes failto provide for full cloud workload vulnerability scanning, additionalmethods, such as snapshot-based scanning, may supplement implementedsolutions.

Snapshot-based scanning, wherein static “snapshots” of processes,services, data, and the like, are analyzed in an environment separatefrom the source environment, provides for agentless scanning.Snapshot-based scanning is applied in various fields, including computerforensics, to provide for analysis of services, processes, data, and thelike, in locations or environments other than those from which thesnapshots are collected, as well as retrospective analysis. However, theapplicability of snapshot-based scanning is limited in multi-tenantsystems, such as shared cloud platforms, as cloud tenants may desirehigh levels of data protection during snapshot generation, transfer, andanalysis. Further, snapshot-based scanning methods, as well as hybridmethods including both agent-implemented and snapshot-based methods, maybe inapplicable to certain cloud system structures and environments,which may include various objects, processes, and the like, which suchmethods may not be configured to process, as such processing mayrequire, as examples, separate analysis of container repositories, VMsnapshots, and application programming interfaces (API) for serverlessapplications, where existing solutions fail to provide such integratedfunctionality.

Further complicating matters is deployment of cloud environmentsutilizing infrastructure as code (IaC) systems. While aimed atdecreasing human error when deploying cloud environments, there is oftena drift from the original configuration code to the current state of theproduction environment. A complication may arise due, for example, todifferent teams working on the development environment (configurationcode) and the production environment (deployed instances). Current toolssuch as Checkov and Accurics allow to scan for misconfigurations andpolicy violations, but are limited to scanning only configuration code.CI/CD (continuous integration / continuous deployment) and driftingconfigurations mean that scanning the configuration code is not alwaysenough to get a precise understanding of where threats andvulnerabilities currently exist, since this is a moving target.

It is apparent that it would be advantageous to provide a solution whichcan scan for vulnerabilities in an improved and efficient manner.

Furthermore, it would, therefore, be advantageous to provide a solutionthat would overcome the challenges noted above.

SUMMARY

A summary of several example embodiments of the disclosure follows. Thissummary is provided for the convenience of the reader to provide a basicunderstanding of such embodiments and does not wholly define the breadthof the disclosure. This summary is not an extensive overview of allcontemplated embodiments, and is intended to neither identify key orcritical elements of all embodiments nor to delineate the scope of anyor all aspects. Its sole purpose is to present some concepts of one ormore embodiments in a simplified form as a prelude to the more detaileddescription that is presented later. For convenience, the term “someembodiments” or “certain embodiments” may be used herein to refer to asingle embodiment or multiple embodiments of the disclosure.

Certain embodiments disclosed herein include a method for detecting avulnerable code object in configuration code for deploying instances ina cloud computing environment. The method comprises: accessing aconfiguration code, the configuration code including a plurality of codeobjects, each code object of the plurality of code objects correspondingto a deployable virtual instance; querying a security graph to detect anode having an attribute value which matches a value extracted from afirst code object of the plurality of code objects, wherein the securitygraph includes a representation of a cloud computing environment; andgenerating a mitigation action in response to determining that thedetected node is associated with a cybersecurity issue.

Certain embodiments disclosed herein also include a non-transitorycomputer readable medium having stored thereon causing a processingcircuitry to execute a process, the process comprising: accessing aconfiguration code, the configuration code including a plurality of codeobjects, each code object of the plurality of code objects correspondingto a deployable virtual instance; querying a security graph to detect anode having an attribute value which matches a value extracted from afirst code object of the plurality of code objects, wherein the securitygraph includes a representation of a cloud computing environment; andgenerating a mitigation action in response to determining that thedetected node is associated with a cybersecurity issue.

Certain embodiments disclosed herein also include a system for detectinga vulnerable code object in configuration code for deploying instancesin a cloud computing environment. The system comprises: a processingcircuitry; and a memory, the memory containing instructions that, whenexecuted by the processing circuitry, configure the system to: access aconfiguration code, the configuration code including a plurality of codeobjects, each code object of the plurality of code objects correspondingto a deployable virtual instance; query a security graph to detect anode having an attribute value which matches a value extracted from afirst code object of the plurality of code objects, wherein the securitygraph includes a representation of a cloud computing environment; andgenerate a mitigation action in response to determining that thedetected node is associated with a cybersecurity issue.

BRIEF DESCRIPTION OF THE DRAWINGS

The subject matter disclosed herein is particularly pointed out anddistinctly claimed in the claims at the conclusion of the specification.The foregoing and other objects, features, and advantages of thedisclosed embodiments will be apparent from the following detaileddescription taken in conjunction with the accompanying drawings.

FIG. 1 is a network diagram of a monitored cloud computing environmentutilizing infrastructure as code (IaC) utilized to describe the variousembodiments.

FIG. 2 is a flowchart of a method for inspecting configuration codeutilizing a security graph, implemented in accordance with anembodiment.

FIG. 3 is a schematic illustration of a portion of a security graph forcybersecurity risk assessment of virtual instances in a cloud computingenvironment, implemented in accordance with an embodiment.

FIG. 4 is a schematic illustration of a code inspector implementedaccording to an embodiment.

FIG. 5 is a code object, shown in accordance with an embodiment.

DETAILED DESCRIPTION

It is important to note that the embodiments disclosed herein are onlyexamples of the many advantageous uses of the innovative teachingsherein. In general, statements made in the specification of the presentapplication do not necessarily limit any of the various claimedembodiments. Moreover, some statements may apply to some inventivefeatures but not to others. In general, unless otherwise indicated,singular elements may be in plural and vice versa with no loss ofgenerality. In the drawings, like numerals refer to like parts throughseveral views.

Infrastructure as code (IaC) allows fast and reliable deployment ofworkloads and accounts in cloud based computing environments. A workloadmay be, for example, a virtual machine, a container, or a serverlessfunction. A virtual machine may be implemented for example as an Oracle®VM VirtualBox hypervisor, a container may be implemented on aKubernetes® platform, and serverless function may be implemented asAmazon® Web Services (AWS) Lambda. Accounts may be user accounts,service accounts, roles, and the like.

Typically, the deployed environment, also known as a productionenvironment, differs over time from the initial deploymentconfiguration, due for example to upgrades and patches implemented inproduction but not always updated in configuration code. This can occurfor example due to human error. Furthermore, many deploymentenvironments utilize a continuous integration, continuous deployment(CI/CD) approach, for which a plurality of deployment environments areused. A cloud computing environment is designed, in an embodiment,utilizing infrastructure as code tool and other development tools in adevelopment (i.e., dev) environment, and deployed to a test environmentwhere code is tested. In an embodiment, code which passes tests,benchmarks, and the like, is then deployed to a staging environmentwhich is similar to the production environment. In each of theseenvironments, a single code object can correspond to multiple machineswhich are deployed based on the code object, each of which can be hostto cybersecurity vulnerabilities. For example, a code object includes acode instruction which when executed to deploy a workload, configures aworkload having a misconfiguration. If the misconfiguration is detectedand corrected in the production environment, the code remains faulty andtherefore the next machine deployed based off of the code will also havea misconfiguration.

In an embodiment, a security graph includes a representation of aproduction environment. The security graph is utilized in inspecting theconfiguration code to ascertain that code objects comply with thespecification of the production environment. For example, the securitygraph is queried, in an embodiment, to detect a node representing aworkload, which corresponds to an identifier of a code object. Byutilizing information represented in the security graph of theproduction environment and applying it to code objects, cybersecuritythreats can be detected faster, and to the point where they originate.

Alerts may be generated to indicate that the configuration code wouldresult in a new production environment which is deficient, for exampledue to vulnerability, when compared with the current productionenvironment.

While declaratory code is used precisely because it is intuitive forhumans to read and write declaratory code, it should be appreciated thatinspecting such code for cybersecurity issues is not a task that can beperformed by humans. Specifically, inspecting code to detect acybersecurity issue needs to be performed in a reliable and consistentmanner, and done so repeatedly over often thousands of lines of code.Even if it were practical for a human to read through thousands of linesof computer code within any meaningful time frame (cloud computingenvironments are elastic and constantly changing) , doing so whilesearching for hundreds of thousands of various cybersecurity issues isimpossible. Furthermore, humans are not capable of performing such tasksrepeatedly and reliably, as they apply objective standards to what is acybersecurity issue.

By contrast, an embodiment of the system disclosed herein appliesobjective criteria in detection of cybersecurity issues, and does so ina manner which is reliable, consistent, and in a timeframe which isrelevant to the operation of a cloud computing environment.Additionally, methods disclosed herein provide for improved efficiencyof computer systems, by reducing use of memory, processors, and thelike.

FIG. 1 is a network diagram 100 of a monitored cloud computingenvironment utilizing infrastructure as code (IaC) utilized to describethe various embodiments.

A client device 110 generates a configuration code file 120 based oninput from one or more users (e.g., software programmers). In anembodiment, a client device is a personal computer, a tablet, a laptop,and the like. In some embodiment, a client device 110 is used to accessa server (not shown) which provides a computing environment into whichinput can be provided. It should be apparent that the client device 110is shown here for simplicity and pedagogical purposes, and that theconfiguration code file 120 is generated, in other embodiments, by theclient device, a virtual workload in a cloud computing environment, acombination thereof, and the like. In certain embodiments, theconfiguration code file 120 is generated by multiple different clientdevices. For example, a plurality of users may each utilize a differentclient device and update a single configuration code file 120, forexample, with code objects. In some embodiments, a single client device110 generates multiple configuration code files.

In an embodiment the configuration code file 120 is implemented in adeclaratory computer language. In a declaratory computer language, auser declares resources they would like to have as code objects, and anorchestrator, such as orchestrator 130, is configured to deployworkloads in a cloud computing environment based on the declarations.For example, an orchestrator 130 is configured, in an embodiment, totranslate a declaratory code to a configuration code, which includesinstructions which when executed configure a cloud computing environmentto deploy a workload, virtual instance, and the like.

In certain embodiments, multiple configuration code files 120 may beutilized. For example, a user may operate multiple cloud environments,each with its own configuration code. For example, a first configurationcode file is directed to deploying a cloud computing environment overMicrosoft® Azure, while a second configuration code file is directed todeploying a cloud computing environment over Amazon® Web Services (AWS).

As another example, a user can declare a first resource type (e.g.,virtual machine) for a first cloud environment (e.g., AWS) and for asecond cloud environment (Google® Cloud Platform - GCP) in a firstconfiguration code file, and a second resource type (e.g., softwarecontainer) for the first cloud environment (AWS) and the second cloudenvironment (GCP) in a second configuration code file.

In an embodiment, an orchestrator 130 is configured to receive theconfiguration code file 120. In certain embodiments, the orchestrator130 is configured to initiate actions in a cloud computing environment140, for example, to deploy workloads, instances, user accounts, serviceaccounts, combinations thereof, and the like, based on declarations ofthe configuration code file 120. In an embodiment, an instance is avirtual instance, and may be, for example a virtual machine 142,software container 144, a serverless function 146, and the like.

In some embodiments, the orchestrator 130 is configured to deployworkloads by assigning (also known as provisioning) cloud computingenvironment resources, such as processors, memory, storage, etc. to theworkload. In an embodiment, workloads are deployed in a productionenvironment, which is a cloud computing environment having operablecode, used for providing access to data and providing software services.In some embodiments, configuration code is implemented in a development(dev) environment, which also utilizes a cloud computing environment.

In some embodiments, a plurality of workloads are associated with afirst code object (not shown) of the configuration code file 120.Workloads which are all deployed based on a same code object (i.e., thefirst code object) are known as a virtual instance (or “instance”) ofthe first code object. In an embodiment, associating a workload with acode object includes assigning a name to the instance based on anidentifier of the code object.

This provides an advantage where it is required to deploy multipleinstances which share similar configurations, such as web serversproviding access to a website. Rather than configure each instancemanually and individually, an orchestrator 130 is configured to deploy anumber of the same workload based on the configuration code file 120.

In some embodiments the orchestrator 130 may configure a cloud-nativeorchestrator (not shown) in the cloud computing environment 140 todeploy the instances. This may be advantageous, for example, whereinstances need to be deployed in different cloud environments.

For example, the same instances may be deployed simultaneously onGoogle® Cloud Platform (GCP), Amazon® Web Services (AWS), or Microsoft®Azure. This can be achieved by configuring the orchestrator 130 togenerate native instructions for a cloud native orchestrator in eachenvironment to deploy such instances. The native instructions aregenerated by the orchestrator 130 in an embodiment. The instructions aregenerated based on objects detected in the configuration code file 120.

This method of deploying instances decreases errors by eliminating theneed for a user to manually deploy each instance and configure eachinstance separately, and is also thus a faster method of deployment. Ahuman is not able to consistently and reliably initiate deployment ofvirtual instances, and then configure hundreds or thousands of suchinstances to match the same specification. In the example above a firstload balancer may be deployed in a first cloud computing environment,and a second load balancer may be deployed in a second cloud computingenvironment, each cloud computing environment having differentinfrastructure from each other, wherein the first load balancer and thesecond load balancer are deployed based on the same code object from aconfiguration code file.

In an embodiment, the first cloud computing environment 140 is coupledwith a second cloud computing environment 150, which is configured toinspect the first cloud computing environment 140 for cybersecuritythreats. In an embodiment, the second cloud computing environment 150(also referred to as inspection environment 150) is further configuredto receive the configuration code file 120.

In some embodiments, the second cloud environment 150 is utilized forinspecting the first cloud computing environment 140 and generatingcybersecurity risk assessments for instances deployed in the first cloudcomputing environment 140.

In certain embodiments, the second cloud environment 150 includes aplurality of inspectors, such as inspector 160. An inspector is aworkload which is configured to inspect another workload forcybersecurity objects, such as a secret, a file, a folder, a registryvalue, a weak password, a certificate, a malware object, a hash, amisconfiguration, a vulnerability, an exposure, a combination thereof,and the like. In an embodiment, an inspector 180 is configured toinspect for a plurality of cybersecurity object types.

For example, in an embodiment, an inspector is configured to inspect thevirtual machine 142 for a predetermined cybersecurity object, inresponse to receiving an instruction to inspect the virtual machine 142.In an embodiment the instruction is received through an API (not shown)of the first cloud computing environment 140. In some embodiments, aninspectable disk is generated based on a volume (not shown) attached tothe virtual machine 142, and the inspectable disk is provided to thesecond cloud computing environment 150 for inspection. In an embodiment,generating an inspectable disk includes generating a clone of thevolume, generating a copy of the volume, generating a snapshot of thevolume, and the like. In an embodiment, a software container is deployedin the second cloud computing environment 150 and attached to a volumegenerated in the second cloud computing environment 150 based on thereceived snapshot. The inspector 160 is configured, in an embodiment, toinspect the attached volume for a predefined cybersecurity object type.In an embodiment, the inspector 160 is configured to generate data whichis stored on a security graph 170. In some embodiments, a node is storedon the security graph 170 to represent an inspected resource. In anembodiment, data generated by the inspector 160 is stored on the noderepresenting the workload which the inspector 160 inspected for acybersecurity object.

In an embodiment, the security graph 170 is stored on a graph database.The security graph 170 includes a representation of a cloud computingenvironment. In an embodiment, the representation includes a pluralityof nodes, at least a portion of which each represent a resource or aprincipal. A resource is a cloud entity which provides access to aservice, computer hardware (e.g., processor, memory, storage, and thelike), and the like. In an embodiment, a resource is a workload, such asa virtual machine, serverless function, software container, and thelike. A principal is a cloud entity which is authorized to initiateactions in a cloud computing environment, and is authorized to act on aresource. In an embodiment, a principal is a user account, a user group,a service account, and the like.

In certain embodiments, the security graph 170 further includesenrichment nodes, which represent certain redetermined functionalities,network access, and the like. For example, an enrichment node may beused to represent access to a public network, such as the Internet.Thus, a node representing a workload which has access to a publicnetwork, or can be accessed through a public network, is connected inthe security graph 170 to an enrichment node representing public networkaccess.

In an embodiment, a code inspector 180 is further deployed in the secondcloud computing environment 150. In some embodiments, a plurality ofcode inspectors are deployed. In certain embodiments, configuration codeis generated by multiple different type of platforms, such as Pulumi®,Terraform®, and the like.

In some embodiments, a first code inspector is configured to inspectconfiguration code generated using Pulumi®, while a second codeinspector is configured to inspect configuration code generated usingTerraform®. In an embodiment, the code inspector 180 is realized as aworkload, such as an application deployed on a software container,configured to receive configuration code and inspect the configurationcode to detect a predetermined type of code object. In an embodiment, atype of code object is, for example, a secret (such as a public key, ora private key), a resource type, an application identifier, a policyidentifier, a role identifier, a status of a flag, and the like. A flagstatus indicates, in an embodiment, that a certain object is allowed toperform certain actions, such as network access, or assume a role, suchas an administrator role (in the case of a user or service account).

In an embodiment, the code inspector 180 is configured to match thedetected object to a node in the security graph 170. This is discussedin more detail with respect to FIG. 2 below.

FIG. 2 is an example flowchart 200 of a method for inspectingconfiguration code utilizing a security graph, implemented in accordancewith an embodiment. In an embodiment, configuration code in adevelopment (dev) environment is inspected based on a security graphwhich is generated at least in part based on a production environment.

A production environment is rarely, if at all, identical to theenvironment which is deployed initially by code. This is due to, forexample, upgrades and patches implemented in the production environmentto address issues caused by the code deployment. Drifting configuration,or configuration drift, describes how a production environment, overtime, ‘drifts’ further away from the initial configuration code design.Therefore, inspecting only one environment for cybersecurity threats isnot enough, and it is advantageous to inspect both.

In an embodiment, the security graph includes representations of theconfiguration code (e.g., representing code objects) and the productionenvironment (e.g., representing resources and principals). By inspectinga configuration code file based on a security graph generated from dataof a production environment, insight can be gained, and deploymentissues may be caught early on, for example to identify instances whichif deployed based on a current version of configuration code wouldinclude a version of software which the production environment hasalready upgraded to a newer version. In an embodiment, the method isperformed by a configuration code inspector, such as the code inspector180.

At S210, configuration code is received. In an embodiment, theconfiguration code includes a plurality of code objects. In certainembodiments, a portion of the code objects correspond to instances whichare deployed in a cloud computing environment. In an embodiment, theconfiguration code is scanned or otherwise inspected as a textualobject. For example, a configuration code is searched for regularexpressions (regex), strings, and the like.

At S220, a first code object is extracted from the received code.Extracting a code object includes, in an embodiment, searching the textof a configuration code file for a predetermined string. For example, acode object may be a text field identifying a type of workload, a nameof a workload, a network address, a name in a namespace, a role, apermission, and the like. In some embodiments, a plurality of codeobjects are extracted from the received code.

At S230, a security graph is traversed to detect a node in the graphcorresponding to the extracted first code object. In an embodiment,traversing the security graph includes sending a request through an APIof a graph database hosting the security graph to search the graph for astring, a value, and the like, which corresponds to the first codeobject. For example, if the first code object includes a secret, such asa private key (i.e., an alphanumerical representation), the securitygraph is traversed to detect a node which represents a matching publickey (e.g., public key node). In an embodiment, the public key node isconnected to a resource node representing a resource which utilizes thepublic key.

In some embodiments, a query directed at the security graph includes aplurality of clauses. In an embodiment, multiple-clause query isgenerated to search for container nodes (i.e., nodes representingcontainers) which are connected to a node representing the public key.It is noted that detecting a node which corresponds to the extractedfirst object includes, in an embodiment, detecting a node which is not anode representing a workload corresponding to the first object.

For example, executing code of the first code object results, in anembodiment, in deploying a first load balancer in a virtual privatecloud (VPC). In an embodiment, a node is generated in a security graphto represent the first load balancer deployed in a cloud computingenvironment. The node representing the load balancer is connected to anode representing the VPC.

An advantage of the disclosed method is that attributes of the firstcode object detected in the graph allows detecting nodes representingcybersecurity issues, nodes representing workloads, enrichment nodes,and the like, prior to the generation of an instance based on the codeobject. This allows detecting a security risk in an instance prior to itbeing deployed in a computing environment. In the above example, as thecode of the first code object includes instructions to deploy in theVPC, the VPC node is detected (based, for example, on detecting anidentifier of the VPC in the code) in the security graph. Cybersecurityrisks represented by nodes connected to the VPC node are detected, forexample by querying the security graph.

At S240, a check is performed to determine if a node is detected. If‘no’ execution may continue at S270. In an embodiment, if a node is notdetected (e.g., the node does not exist), a new node is generated in thesecurity graph to represent the first code object. If a node is detectedexecution continues to S250.

At S250, a check is performed to determine if the detected nodecorresponds to a previously determined cybersecurity issue, such as acybersecurity risk factor, vulnerability, misconfiguration, and thelike. A risk factor, vulnerability, misconfiguration, and the like, maybe, for example, access to a network resource (such as the internet),access from a network resource, outdated software, privilege escalation,and the like. In an embodiment, a risk factor score is furtherdetermined. In some embodiments, the score indicates the severity of therisk, such as ‘low’, ‘medium’, ‘high’, and ‘critical’. In an embodiment,the previously determined cybersecurity issue is detected by inspectinga disk for a cybersecurity object. In some embodiments, a detectedcybersecurity issue is represented as a node in a security graph,connected to a node representing a resource on which the cybersecurityissue was detected.

In an embodiment, a mitigation instruction corresponding to the riskfactor score is executed. In some embodiments, the risk factor isindicated by metadata associated with the detected node of S240. If thedetected node corresponds to a previously determined cybersecurity issueexecution continues at S260; otherwise, execution continues at S270.

In an embodiment, a vulnerability is represented on the security graphby a node. As an example, a node representing a workload is connected toa node representing a vulnerability. Where a workload node is thedetected node, a cybersecurity vulnerability is associated with the codeobject.

At optional S260 a notification is generated to indicate that a securityrisk has been detected in the configuration code. In an embodiment thenotification is sent to a client device, a user account, a combinationthereof, and the like, which authored the code. Code authors aredetermined, in an embodiment, by a user account identifier present inthe configuration code.

In some embodiments, the notification includes an indicator to specifywhy the notification is generated. In certain embodiments an instructionto perform a mitigation action is generated. In the example above, analert (i.e., notification) is generated in response to detecting that aworkload includes an outdated software version, and the alert includesthe current software version which would need to be configured in theconfiguration code in order to mitigate the risk of deploying a workloadwith an outdated software version.

At S270 a check is performed to determine if another code object shouldbe inspected. If ‘yes’ execution continues at S220, otherwise executionterminates.

FIG. 3 is a schematic illustration of a portion of a security graph 300for cybersecurity risk assessment of virtual instances in a cloudcomputing environment, implemented in accordance with an embodiment. Thegraph 300, which in an embodiment is stored in a graph database,includes a plurality of nodes. In an embodiment, a node represents aresource, principal, metadata, enrichment data, and the like.

In an embodiment, the graph 300 includes a first cloud key node 310(representing a first cloud key) and a second cloud key node 320(representing a second cloud key), which are connected to a user accountnode 340 (representing a user account). A third cloud key node 330(representing a third cloud key) is connected to a service account node360 (representing a service account). The user account node 340 andservice account node 360 are connected to an identity and accessmanagement (IAM) object node 350 (representing an IAM object).

In an embodiment, a cloud key provides temporary access, permanentaccess, and the like, between a first workload and a second workload. Insome embodiments, one or more first workloads and one or more secondworkloads may be on the same tenant, on different tenants, or on acombination thereof. In an embodiment, cloud keys are embedded into textconfiguration files, structured configuration files (e.g., JSON, YAML,XML, etc.), scripts, source code, and the like. Example implementationsof cloud keys include AWS IAM access keys, OAuth® refresh tokens, accesstokens, and the like.

By generating a security graph 300 including such nodes and populatingit with data representing the cloud computing environment allowsassessing of cybersecurity risks. For example, if a first cloud key iscompromised, it is readily apparent what other objects are vulnerable asa result, by querying the security graph 300 and detecting cloudentities which are represented by nodes connected to, for example, anode representing the first cloud key. In an embodiment each nodefurther stores metadata and data relating to the object. For example, acloud key node 320 may include therein a unique account identifier.

In some embodiments, the security graph 300 further includes arepresentation of a cybersecurity issue. For example, a misconfigurationis represented by a node in the security graph, in an embodiment. In anembodiment a node representing a cybersecurity issue is connected to anode which represents a resource. This is performed to indicate that theresource includes the cybersecurity issue. For example, an inspector isconfigured to detect a cybersecurity issue, and detects thecybersecurity issue on a software container which is inspected by theinspector. In an embodiment, a security graph is updated to include anode representing the software container connected to a noderepresenting the cybersecurity issue.

In certain embodiments, generating a node representing a cybersecurityissue allows to reduce redundant information stored in a graph database,where storing a connection requires less resources than storinginformation about the cybersecurity issue in each node representing aresource where the cybersecurity issue is detected. This allows compactrepresentation, thereby reducing computer resource consumption. Thisfurther allows to rapidly detect all resources having a certaincybersecurity issue, as rather than querying each node to determine ifthe node includes information on a specific cybersecurity issue, asingle node is queried to detect nodes connected to it. This reduces theamount of processing required on a database search.

FIG. 4 is a schematic illustration of a code inspector 180 implementedaccording to an embodiment. The code inspector 180 may be implemented asa physical machine or a virtual workload, such as a virtual machine orcontainer.

When implemented as a physical machine, the code inspector 180 includesat least one processing circuity 410, for example, a central processingunit (CPU). In an embodiment, the processing circuity 410 may be, or bea component of, a larger processing unit implemented with one or moreprocessors. The one or more processors may be implemented with anycombination of general-purpose microprocessors, microcontrollers,digital signal processors (DSPs), field programmable gate array (FPGAs),programmable logic devices (PLDs), controllers, state machines, gatedlogic, discrete hardware components, dedicated hardware finite statemachines, or any other suitable entities that can perform calculationsor other manipulations of information. In certain embodiments it may beadvantageous for the at least one processing circuity 410 to furtherinclude one or more general purpose graphic processor units (GPGPUs).For example, for comparing and generating digests, a GPGPU may haveimproved performance over a CPU.

The processing circuity 410 is coupled via a bus 405 to a memory 420.The memory 420 may include a memory portion 425 that containsinstructions that when executed by the processing element 410 performsthe method described in more detail herein. The memory 420 may befurther used as a working scratch pad for the processing element 410, atemporary storage, and others, as the case may be. The memory 420 may bea volatile memory such as, but not limited to random access memory(RAM), or non-volatile memory (NVM), such as, but not limited to, Flashmemory. The memory may further include a memory portion 425 which isused to store objects extracted from a configuration code.

The processing element 410 may be coupled to a network interfacecontroller (NIC) 430, which provides connectivity to one or more cloudcomputing environments, such as the first cloud computing environment140 of FIG. 1 , via a network.

The processing element 410 may be further coupled with a storage 440.The storage 440 may be used for the purpose of holding a copy of themethod executed in accordance with the disclosed technique. The storage440 may include a storage portion 445 containing a configuration codefor deployment in a cloud computing environment.

The processing element 410 and/or the memory 420 may also includemachine-readable media for storing software. Software shall be construedbroadly to mean any type of instructions, whether referred to assoftware, firmware, middleware, microcode, hardware descriptionlanguage, or otherwise. Instructions may include code (e.g., in sourcecode format, binary code format, executable code format, or any othersuitable format of code). The instructions, when executed by the one ormore processors, cause the processing system to perform the variousfunctions described in further detail herein.

FIG. 5 is an example of a code object, shown in accordance with anembodiment. A code object 500 includes an object type 510. The objecttype 510 indicates, in this example, that this code object is a resourcetype, i.e. executing instructions related to this object will deploy aresource in a cloud computing environment. The object type furtherincludes data fields, such as instance type data field 512 and networkassociation data field 514. The instance type 512 specifies what type ofresource is to be deployed, in this case the instance type is at2.micro, which is a processing instance used in the AWS cloud computingenvironment. The network association field 514 indicates, in thisexample, that the instance should be associated with a specific virtualprivate cloud (VPC). In this example the code object is a data structurehaving parameters (or data fields) which can be customized to generateresources, accounts, and the like, in a cloud computing environment.

The various embodiments disclosed herein can be implemented as hardware,firmware, software, or any combination thereof. Moreover, the softwareis preferably implemented as an application program tangibly embodied ona program storage unit or computer readable medium consisting of parts,or of certain devices and/or a combination of devices. The applicationprogram may be uploaded to, and executed by, a machine comprising anysuitable architecture. Preferably, the machine is implemented on acomputer platform having hardware such as one or more central processingunits (“CPUs”), a memory, and input/output interfaces. The computerplatform may also include an operating system and microinstruction code.The various processes and functions described herein may be either partof the microinstruction code or part of the application program, or anycombination thereof, which may be executed by a CPU, whether or not sucha computer or processor is explicitly shown. In addition, various otherperipheral units may be connected to the computer platform such as anadditional data storage unit and a printing unit. Furthermore, anon-transitory computer readable medium is any computer readable mediumexcept for a transitory propagating signal.

All examples and conditional language recited herein are intended forpedagogical purposes to aid the reader in understanding the principlesof the disclosed embodiment and the concepts contributed by the inventorto furthering the art, and are to be construed as being withoutlimitation to such specifically recited examples and conditions.Moreover, all statements herein reciting principles, aspects, andembodiments of the disclosed embodiments, as well as specific examplesthereof, are intended to encompass both structural and functionalequivalents thereof. Additionally, it is intended that such equivalentsinclude both currently known equivalents as well as equivalentsdeveloped in the future, i.e., any elements developed that perform thesame function, regardless of structure.

It should be understood that any reference to an element herein using adesignation such as “first,” “second,” and so forth does not generallylimit the quantity or order of those elements. Rather, thesedesignations are generally used herein as a convenient method ofdistinguishing between two or more elements or instances of an element.Thus, a reference to first and second elements does not mean that onlytwo elements may be employed there or that the first element mustprecede the second element in some manner. Also, unless statedotherwise, a set of elements comprises one or more elements.

As used herein, the phrase “at least one of” followed by a listing ofitems means that any of the listed items can be utilized individually,or any combination of two or more of the listed items can be utilized.For example, if a system is described as including “at least one of A,B, and C,” the system can include A alone; B alone; C alone; 2A; 2B; 2C;3A; A and B in combination; B and C in combination; A and C incombination; A, B, and C in combination; 2A and C in combination; A, 3B,and 2C in combination; and the like.

What is claimed is:
 1. A method for detecting a vulnerable code objectin configuration code for deploying instances in a cloud computingenvironment, comprising: accessing a configuration code, theconfiguration code including a plurality of code objects, each codeobject of the plurality of code objects corresponding to a deployablevirtual instance; querying a security graph to detect a node having anattribute value which matches a value extracted from a first code objectof the plurality of code objects, wherein the security graph includes arepresentation of a cloud computing environment; and generating amitigation action in response to determining that the detected node isassociated with a cybersecurity issue.
 2. The method of claim 1, furthercomprising: generating an alert based on the cybersecurity issue.
 3. Themethod of claim 1, further comprising: deploying a virtual instancebased on the first code object in response to determining that thedetected node is not connected to a node representing a cybersecurityissue.
 4. The method of claim 1, further comprising: detecting in theconfiguration code a data field of a code object having any one of: astring, and a value.
 5. The method of claim 4, wherein the data fieldrepresents any one of: a private key identifier, a public keyidentifier, a policy identifier, a user account identifier, a serviceaccount identifier, a version identifier, and a resource typeidentifier.
 6. The method of claim 1, further comprising: generating aquery directed at the security graph, the query including an identifierof the first code object.
 7. The method of claim 6, wherein theidentifier is any one of: a user account identifier, a service accountidentifier, a version identifier, and a resource type identifier.
 8. Themethod of claim 1, further comprising: traversing the security graph todetect a node, wherein the node represents the first code object,wherein a node representing the first code object includes a data fieldvalue which matches with a data field value of the first code object. 9.The method of claim 1, wherein the cybersecurity risk is represented bya risk node in the security graph, and the detected node is connected tothe risk node.
 10. A non-transitory computer readable medium havingstored thereon instructions for causing a processing circuitry toexecute a process, the process comprising: accessing a configurationcode, the configuration code including a plurality of code objects, eachcode object of the plurality of code objects corresponding to adeployable virtual instance; querying a security graph to detect a nodehaving an attribute value which matches a value extracted from a firstcode object of the plurality of code objects, wherein the security graphincludes a representation of a cloud computing environment; andgenerating a mitigation action in response to determining that thedetected node is associated with a cybersecurity issue.
 11. A system fordetecting a vulnerable code object in configuration code for deployinginstances in a cloud computing environment, comprising: a processingcircuitry; and a memory, the memory containing instructions that, whenexecuted by the processing circuitry, configure the system to: access aconfiguration code, the configuration code including a plurality of codeobjects, each code object of the plurality of code objects correspondingto a deployable virtual instance; query a security graph to detect anode having an attribute value which matches a value extracted from afirst code object of the plurality of code objects, wherein the securitygraph includes a representation of a cloud computing environment; andgenerate a mitigation action in response to determining that thedetected node is associated with a cybersecurity issue.
 12. The systemof claim 11, wherein the memory includes further instructions which whenexecuted by the processing circuitry further configure the system to:generate an alert based on the cybersecurity issue.
 13. The system ofclaim 11, wherein the memory includes further instructions which whenexecuted by the processing circuitry further configure the system to:deploy a virtual instance based on the first code object in response todetermining that the detected node is not connected to a noderepresenting a cybersecurity issue.
 14. The system of claim 11, whereinthe memory includes further instructions which when executed by theprocessing circuitry further configure the system to: detect in theconfiguration code a data field of a code object having any one of: astring, and a value.
 15. The system of claim 14, wherein the data fieldrepresents any one of: a private key identifier, a public keyidentifier, a policy identifier, a user account identifier, a serviceaccount identifier, a version identifier, and a resource typeidentifier.
 16. The system of claim 11, wherein the memory includesfurther instructions which when executed by the processing circuitryfurther configure the system to: generate a query directed at thesecurity graph, the query including an identifier of the first codeobject.
 17. The system of claim 16, wherein the identifier is any oneof: a user account identifier, a service account identifier, a versionidentifier, and a resource type identifier.
 18. The system of claim 11,wherein the memory includes further instructions which when executed bythe processing circuitry further configure the system to: traverse thesecurity graph to detect a node, wherein the node represents the firstcode object, wherein a node representing the first code object includesa data field value which matches with a data field value of the firstcode object.
 19. The system of claim 11, wherein the cybersecurity riskis represented by a risk node in the security graph, and the detectednode is connected to the risk node.